Merge pull request #13 from rohitcoder/feat/added-severity

rohitcoder · web-flow · commit 8ca6aa160b85 · 2025-01-23T23:55:00.000+05:30
Added Severity logic and severity query feature
diff --git a/connection.yml.sample b/connection.yml.sample
@@ -3,7 +3,34 @@ notify:
   suppress_duplicates: True
   slack:
     webhook_url: https://hooks.slack.com/services/T0XXXXXXXXXXX/BXXXXXXXX/1CIyXXXXXXXXXXXXXXX
-
+  jira:
+    username: "amce@org.com"
+    server_url: "https://amce.atlassian.net"
+    api_token: "JIRA_API_TOKEN_HERE"
+    project: "SEC"
+    issue_type: "Task"
+    labels:
+      - "hawk-eye"
+    assignee: "soc-team@amce.com"
+    issue_fields:
+      summary_prefix: "[Hawk-eye] PII Exposed - "
+      description_template: |
+        A Data Security issue has been identified:
+        
+        {details}
+severity_rules:
+  critical:
+    - query: "length(matches) > `10` && contains(['EMAIL', 'PAN'], pattern_name)"
+      description: "Detected more than 10 Email or Pan exposed"
+  high:
+    - query: "length(matches) > `10` && contains(['EMAIL', 'PAN'], pattern_name) && data_source == 'slack'"
+      description: "Detected more than 10 Email or Pan exposed in Slack"
+  medium:
+    - query: "length(matches) > `5` && length(matches) <= `10` && contains(['EMAIL', 'PAN'], pattern_name) && data_source == 'slack' && profile == 'customer_support'"
+      description: "Detected more than 5 and less than 10 Email or Pan exposed in Customer support Slack workspace"
+  low:
+    - query: "length(matches) <= `5`"
+      description: "Detected less than 5 PII or Secrets"
 sources:
   redis:
     redis_example:
diff --git a/hawk_scanner/internals/system.py b/hawk_scanner/internals/system.py
@@ -1,3 +1,4 @@
+import jmespath
 from rich.console import Console 
 from rich.table import Table
 import json, requests, argparse, yaml, re, datetime, os, subprocess, platform, hashlib
@@ -541,6 +542,40 @@ def SlackNotify(msg, args):
             except Exception as e:
                 print_error(args, f"An error occurred: {str(e)}")
 
+def evaluate_severity(json_data, rules):
+    if 'severity_rules' not in rules:
+        rules = {
+            'severity_rules': {
+                'critical': [
+                    {'query': "length(matches) > `20`", 'description': "Detected more than 20 PII or Secrets"},
+                ],
+                'high': [
+                    {'query': "length(matches) > `10` && length(matches) <= `20`", 'description': "Detected more than 10 PII or Secrets"},
+                ],
+                'medium': [
+                    {'query': "length(matches) > `5` && length(matches) <= `10`", 'description': "Detected more than 5 PII or Secrets"},
+                ],
+                'low': [
+                    {'query': "length(matches) <= `5`", 'description': "Detected less than 5 PII or Secrets"},
+                ],
+            }
+        }
+    
+    for severity, conditions in rules['severity_rules'].items():
+        for condition in conditions:
+            query = condition['query']
+            description = condition['description']
+            if jmespath.search(query, json_data):
+                # Add severity details to the JSON data
+                json_data['severity'] = severity
+                json_data['severity_description'] = description
+                return json_data
+
+    # If no match, add default severity
+    json_data['severity'] = "unknown"
+    json_data['severity_description'] = "No matching rule found."
+    return json_data
+
 def enhance_and_ocr(image_path):
     # Load the image
     original_image = Image.open(image_path)
diff --git a/hawk_scanner/main.py b/hawk_scanner/main.py
@@ -38,9 +38,11 @@ def execute_command(command, args):
     return module.execute(args)
 
 
-def group_results(results):
+def group_results(args, results):
     grouped_results = defaultdict(list)
     for result in results:
+        connection = system.get_connection(args)
+        result = system.evaluate_severity(result, connection)
         grouped_results[result['data_source']].append(result)
     return grouped_results
 
@@ -231,8 +233,7 @@ def main():
         system.print_error(args, "Please provide a command to execute")
         sys.exit(1)
 
-    grouped_results = group_results(results)
-
+    grouped_results = group_results(args, results)
     if args.json:
         if args.json:
             with open(args.json, 'w') as file:
diff --git a/readme.md b/readme.md
@@ -269,7 +269,9 @@ Note: If you don't provide any command, it will run all commands (firebase, fs,
 HAWK Eye uses a YAML file to store connection profiles for various data sources. The connection.yml file is located in the config directory. You can add new profiles to this file to enable HAWK Eye to scan additional data sources. The following sections describe the process for adding new profiles to the connection.yml file.
 
 
-### Your connection fille will look like this
+### Your connection file will look like this
+
+For the full connection schema, have a look at [connection.yml.sample](connection.yml.sample).
 
 ```yaml
 notify:
diff --git a/requirements.txt b/requirements.txt
@@ -1,5 +1,6 @@
 boto3
 PyYAML
+jmespath
 rich
 mysql-connector-python
 pymysql

-Original file line number
+Diff line change
@@ @@ -1,5 +1,6 @@ @@
 boto3
 PyYAML
 +jmespath
 rich
 mysql-connector-python
 pymysql